
Cloud Vulnerability DB
A community-led vulnerabilities database
Opera for Android was found to contain an address bar spoofing vulnerability (CVE-2019-12278). The issue affects Opera Browser version 52.1.2517.139570 and earlier versions, impacting over 2.8 million devices. The vulnerability was discovered in May 2019 and involves the mishandling of certain Unicode characters from languages such as Persian and Arabic, which are displayed in right-to-left order (Opera Spoofing).
The vulnerability abuses the Unicode Bidirectional Algorithm, under which specific Unicode characters (such as U+08FF, U+FB50) are rendered from right to left. This behavior allows attackers to manipulate how a URL is displayed in the address bar. The browser fails to handle these special characters properly: instead of showing such URLs in Punycode format, it renders them in a way that could deceive users (Opera Spoofing).
The vulnerability poses a significant security risk as it allows attackers to spoof legitimate website URLs in the address bar, potentially deceiving users into believing they are visiting trusted websites. This is particularly concerning as the URL bar is often the primary security indicator for non-technical users, and the spoofing can occur even with HTTPS padlock indicators present (Opera Spoofing).
The vulnerability was reported on May 21, 2019, and was fully fixed by July 29, 2019. The solution involves ensuring all URLs are rendered consistently from left to right and implementing proper handling of Unicode characters in accordance with RFC standards (Opera Spoofing).
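The display decision described above, sketched as an added example (not code from Opera or from the original report): a host that mixes right-to-left and left-to-right characters, or carries explicit bidi control characters, is shown in Punycode instead of Unicode. The function names and the policy are assumptions for illustration; this is a simplified check rather than a full implementation of the IDNA Bidi rule in RFC 5893, and it uses the raw Punycode codec without IDNA mapping or validation.

```python
import unicodedata

# Bidi classes per the Unicode Character Database.
RTL = {"R", "AL", "AN"}  # Hebrew/Arabic letters and Arabic-Indic digits
CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def host_is_risky(host: str) -> bool:
    """True if the host could be visually reordered in an address bar."""
    classes = {unicodedata.bidirectional(ch) for ch in host}
    if classes & CONTROLS:
        return True  # explicit embedding/override/isolate characters
    return bool(classes & RTL) and "L" in classes  # mixed directions


def to_ascii(label: str) -> str:
    """Punycode one label with the raw codec (no IDNA mapping/validation)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host: str) -> str:
    """Return the string a URL bar should show for this host."""
    if not host_is_risky(host):
        return host
    return ".".join(to_ascii(label) for label in host.split("."))


if __name__ == "__main__":
    # Constructed sample hosts, not taken from the original report.
    samples = [
        "example.com",               # plain ASCII, shown as-is
        "\ufb50example.com",         # RTL letter mixed with Latin letters
        "exa\u202emple.com",         # right-to-left override inside a label
        "\u0645\u062b\u0627\u0644",  # purely Arabic label, no mixing
    ]
    for h in samples:
        print(ascii(h), "->", display_host(h))
```

A host written entirely in a right-to-left script is left in Unicode under this policy; only mixed-direction hosts and hosts with bidi controls are forced to their ASCII form.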
Source: This report was generated using AI